Despite the Unique Identification Authority of India (UIDAI) shirking its responsibility for safety and security of Aadhaar data, the internet is full of such records. A simple search can reveal Aadhaar data of hundreds, if not thousands, of the UID holders.

In fact, by using simple words like ‘Mera Aadhaar meri pehchan filetype:pdf’, you stumble upon detailed profiles of people uploaded online by third parties or agents.

The sites that have uploaded Aadhaar details of individuals for apparent public consumption include, among others:

On first page of the search results is StarCardsIndia.com, which seems to think that uploading entire application forms for obtaining permanent account number (PAN) of people in internet is ‘smart’ thing to do. This website is registered by one Krishna Chaitanya Mories for Desimobile Voice Labs Communications Pvt Ltd from Hyderabad, as per records from Who.is.

The data uploaded in PDF format includes, Aadhaar number, mobile number, email ID, address and photo, along with other personal details of the applicants.

Since Desimobile Voice Labs is registered in Hyderabad, we may think that it may be an agency helping people from that area to obtain PAN cards. However, the data we stumbled upon reveals that the applicants are from Bareilly, Darbhanga and Banda, mostly from Uttar Pradesh and Bihar. It is still fine, but why it needs to upload and publish all records of individuals in the public domain is not clear.]

Most shocking is a CancerCareTrust.org, which is found uploading all details of cancer patients like children and their parents online!

One college from Mirajapur even uploaded all data including Aadhaar number, mobile numbers of its teachers. The college have also uploaded self-attested scanned copies of Aadhaar on its website.

Is there any solution to this? Some may even ask, if this was not the case before Aadhaar. Yes, there were few instances. However, those pre-Aadhaar leakages were not able to disable a person from the entire system. Aadhaar has the capability as the UIDIA itself had admitted about deactivating 81 lakh UID numbers. As per the provisions of Sections 27 and 28 of Aadhaar Act, a person’s Aadhaar can be cancelled or deactivated if multiple Aadhaar have been issued, or there are discrepancies in the biometric data or supporting documents. But then who has verified or audited Aadhaar data collected by third parties, based on which UIDAI has been issuing the UID number?

Earlier this week, French security expert who goes under the pseudonym ‘Elliot Alderson‘ (@fs0c131y) had exposed vulnerabilities of Aadhaar and UIDAI and found almost 20,000 Aadhaar cards on the internet within three hours. The UIDAI, however, dismissed the claim in its usual fashion.

UIDAI, however, dismissed the claims. In its tweets, the authority said, “Publication of Aadhaar cards by some people have absolutely no bearing on UIDAI and not the least on Aadhaar security. Aadhaar as an identity document by its very nature needs to be shared openly with others as and when required and asked for. Aadhaar just like any other identity document, therefore, is never to be treated as a confidential document. Although Aadhaar has to be shared with others, it being a personal information like mobile number, bank account number, PAN card, passport, family details, etc, should be ordinarily protected to ensure privacy of the person.”